Post-Authentication Session-Check in MAC auth workflow

  • 1.  Post-Authentication Session-Check in MAC auth workflow

    Posted Aug 04, 2022 06:51 PM
    Hey Airheads,

    I'm trying to build up a PoC which requires Guest + MAC auth but with a limitation on concurrent sessions.

    Understanding you can perform unique device checks during the registration / MAC caching process to prevent the devices from being enrolled, I have a scenario where I'm using Azure AD logins for a BYOD workflow. This means we can't do the usual pre-auth application enforcement in ClearPass to check the unique device count in the endpoint repo.

    So what I'm trying to do is deliver a solution where users can auth as many devices through Azure but they can only have 2-3 connected concurrently.

    My idea was to use the post authentication session-check enforcement to identify excess concurrent sessions and disconnect those in excess of the limit.

    Despite my best efforts I can't seem to get CPPM to take any action when too many devices are connected under one account.

    Has anybody got this working? I'm playing in 6.10.5 version.

    RADIUS accounting is enabled and I can see the device records.

  • 2.  RE: Post-Authentication Session-Check in MAC auth workflow

    EMPLOYEE
    Posted Aug 04, 2022 07:25 PM
    Do you have radius interim accounting also enabled on the NAS?

    EDIT:  Do you also have COA configured?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------

  • 3.  RE: Post-Authentication Session-Check in MAC auth workflow

    Posted Aug 04, 2022 07:33 PM
    Interim accounting is enabled on the NAS (AP-503H in Central with AOS 10).

    I've even gone so far as to run the Active-Sessions query directly against Insight using pgAdmin, and it's correctly returning the active-session count.

  • 4.  RE: Post-Authentication Session-Check in MAC auth workflow

    Posted Aug 04, 2022 11:54 PM
    Hi Colin,

    Yes COA is enabled and working manually from access tracker.

    Scott

  • 5.  RE: Post-Authentication Session-Check in MAC auth workflow

    EMPLOYEE
    Posted Aug 08, 2022 08:37 AM
    Do you see the 'RADIUS Dynamic Authorization' tab showing up in Access Tracker for clients that you expect to be CoA-ed?

    It's important to understand whether the CoA does not trigger, or whether it doesn't work. If manual works, the chances are better that the CoA does not even trigger, in which case, going through the logs (Collect Logs), the events you are looking for are (probably, couldn't check) in the logfile postauthctrl.log. Aruba Support can assist in this as well, as reading these logfiles is not something most customers/partners are used to.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------